rspamd: authenticate via sso

2024-11-15 05:13:10 +01:00 · 2024-05-24 00:22:19 +02:00 · 2024-05-24 00:22:19 +02:00 · 16f3500f09
parent 7372df381d
commit 16f3500f09
2 changed files with 15 additions and 1 deletions
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@ -7,7 +7,7 @@
      postfix.enable = true;
      locals = {
        "worker-controller.inc".text = ''
-          password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
+          secure_ip = "0.0.0.0/0";
        '';
        "redis.conf".text = ''
          read_servers = "/run/redis-rspamd/redis.sock";
@ -39,6 +39,18 @@
      };
    };
    caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
+
+      # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+      reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 
+
+      # forward authentication to authentik
+      forward_auth http://nuc.vpn.rfive.de:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+      }
+
      reverse_proxy 127.0.0.1:11334
    '';
  };
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@ -20,4 +20,6 @@ in
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    reverse_proxy localhost:9000
  '';
+  # open the firewall for proxy auth
+  networking.firewall.allowedTCPPorts = [ 9000 ];
 }